Developer James Fisher has discovered an exploit in Google Chrome for Android that can be used for phishing attacks. The exploit, dubbed “inception bar” by Fisher, takes advantage of the fact that the browser hides the address bar when a user scrolls down a page. When that happens, the exploit displays a fake address bar, making the phishing site look like a legitimate one. When the user scrolls up again, the exploit can force Chrome to keep the real address bar hidden, so the user will not know any better. This attack can be used to trick users into thinking that they are on, say, a legitimate banking website so that they enter their username and password. The exploit also works on Apple devices, but it won’t fool anyone there: the iOS version of Chrome doesn’t hide the address bar when a user scrolls down, so they will see both the fake and real address bars.
Source: The Star April 30, 2019 06:56 UTC